CN109547452B - Method and system for realizing TCP transparent proxy on Linux network bridge equipment - Google Patents


Info

Publication number: CN109547452B
Authority: CN (China)
Prior art keywords: tcp, host, message, linux, data message
Legal status: Active
Application number: CN201811458579.0A
Other languages: Chinese (zh)
Other versions: CN109547452A (en)
Inventor: 陈阳
Current Assignee: Sichuan Andi Technology Industrial Co Ltd
Original Assignee: Sichuan Andi Technology Industrial Co Ltd
Application filed by Sichuan Andi Technology Industrial Co Ltd
Priority to CN201811458579.0A
Publication of CN109547452A
Application granted
Publication of CN109547452B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/59 Network arrangements, protocols or services for addressing or naming using proxies for addressing
    • H04L 2101/00 Indexing scheme associated with group H04L61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/618 Details of network addresses
    • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to the technical field of network communication and overcomes the problem that a TCP transparent proxy cannot be realized when the proxy server is only a link layer bridge device that is unreachable at the network layer from host A and from host B. It provides a method for realizing a TCP transparent proxy on a Linux bridge device, which comprises the following steps: converting the destination address of the communication connection carrying the original request message and redirecting that connection to a TCP proxy process; having the TCP proxy process mark its messages and initiate a new communication connection request to host B; configuring a policy route so that the marked messages bypass route selection; converting the source address and sending the messages to the bridge module; converting the destination MAC address and source MAC address of the marked messages into the corresponding values from the original request message; and filling in the Ethernet header and sending the messages to the link layer destination host of the original request message, thereby connecting host A and host B.

Description

Method and system for realizing TCP transparent proxy on Linux network bridge equipment
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and a system for TCP transparent proxy.
Background
The principle of existing bidirectional TCP transparent proxy acceleration is as follows. As shown in fig. 1, between a host A and a host B that communicate over TCP, a TCP Proxy server C is placed close to host A and a TCP Proxy server D is placed close to host B, so that the link with high delay and high packet loss rate lies between TCP Proxy server C and TCP Proxy server D. When host A initiates a TCP connection to host B, the TCP flow is intercepted at TCP Proxy server C without host A or host B being aware of it; TCP Proxy server C re-initiates the TCP connection, relays the data between A and B, and optimizes the congestion control policy for the congestion conditions of the link. In terms of implementation, the industry generally uses iptables together with a TCP Proxy: the DNAT (destination address translation) function of iptables on TCP Proxy server C redirects the TCP connection initiated by host A toward host B to the TCP Proxy on TCP Proxy server C; the TCP Proxy masquerades as host B to accept the connection request of host A, and then masquerades as host A to initiate a new TCP connection to host B. When the new TCP connection passes through TCP Proxy server D, it is redirected in the same way to the TCP Proxy program on TCP Proxy server D, and finally a connection is established between TCP Proxy server D and host B. Throughout the process, host A and host B cannot perceive the existence of TCP Proxy server C and TCP Proxy server D.
With this method, the TCP connection from host A to host B is divided into three sections, and TCP Proxy server C and TCP Proxy server D can perform better and more accurate TCP congestion control on the congested link between them, thereby accelerating the TCP connection.
The conventional TCP transparent connection proxy method has a basic premise: TCP Proxy server C must be able to establish a normal TCP connection with host A at the network layer, and TCP Proxy server D must be able to establish a normal TCP connection with host B at the network layer, so that the TCP flow between host A and host B can be proxied and forwarded. When TCP Proxy server C and TCP Proxy server D are devices working at the network layer, such as routers or NAT (network address translation) gateways, the conventional method can be used. However, when TCP Proxy server C and TCP Proxy server D are only link layer Linux bridge devices that are not reachable at the network layer from host A and host B respectively, for example because the IP addresses of TCP Proxy server C and TCP Proxy server D and the IP addresses of host A and host B are located in different network segments, the conventional method cannot provide the TCP transparent proxy acceleration function.
In an actual Ethernet environment, a Linux bridge device is usually placed in a separate VLAN (virtual local area network) for management, so its IP address is not in the same network segment as the hosts whose TCP communication relies on the bridge; the Linux bridge device and the hosts are then reachable at the link layer but not at the network layer. Furthermore, when the bridge forwards the Ethernet frames of several VLANs, each VLAN corresponds to a different IP network segment, and when the number of VLANs is large it is difficult to make the hosts of every VLAN reachable at the network layer by configuring bridge IP addresses. Even if the Linux bridge device is given a corresponding IP address in every VLAN, the case where the destination address of a TCP connection requiring proxying must be forwarded through the default gateway of a particular VLAN remains unsolved, because each VLAN has a different default gateway while the Linux bridge device can configure only one default gateway, which does not necessarily reach the destination address.
Chinese patent publication No. CN102447708B discloses a communication method for application layer transparent proxy technology that implements the proxy directly by means of layer-2 forwarding in the network protocol stack. That method only uses the IP address of the server as the source address for establishing the TCP connection with the client; when no route exists between the client and the proxy service host, "forwarding the response packet through the data link layer to the client" cannot be carried out, and the packet is discarded during routing. That is, this method cannot solve the TCP proxy problem when the proxy server is a bridge device that is not reachable at the network layer from hosts A and B (for example, because their IP addresses lie in different segments).
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a method and a system for realizing a TCP transparent proxy on a Linux bridge device, which solve the problem that the proxy server is only a link layer Linux bridge device and cannot provide the TCP transparent proxy function when it is unreachable at the network layer from host A and from host B.
To solve this technical problem, the invention adopts the following technical scheme:
the method for realizing a TCP transparent proxy on a Linux bridge device comprises establishing a TCP connection between host A and host B, and processing the TCP data messages between host A and host B after the TCP connection has been established, wherein establishing the TCP connection between host A and host B comprises the following steps:
S1, host A sends a TCP SYN message to host B to request a TCP connection; this SYN message is recorded as SYN message one;
S2, the Linux bridge device intercepts SYN message one, records its information, and redirects the TCP connection to the TCP proxy process module in the Linux bridge device; the TCP proxy process module, disguised as host B, sends the corresponding SYN ACK message to host A, and host A replies with the corresponding ACK message, so that the Linux bridge device completes establishment of the TCP connection with host A; the Socket corresponding to this TCP connection is recorded as Socket1;
S3, the TCP proxy process module sends a TCP SYN message to host B to request a TCP connection; this SYN message is recorded as SYN message two, the Socket corresponding to this TCP connection is recorded as Socket2, and all messages sent out through Socket2 are marked, the mark being recorded as Mark X;
S4, through the configured policy routing, SYN message two carrying Mark X bypasses route selection inside the Linux bridge device; source address translation is performed, converting the source IP address and source port of SYN message two into the source IP address and source port of SYN message one; through the configured static ARP, SYN message two bypasses the ARP query process in the Linux bridge device and is sent to the bridge module in the Linux bridge device;
S5, SYN message two is intercepted and destination address translation is performed, converting the destination MAC address and source MAC address of SYN message two into the destination MAC address and source MAC address of SYN message one; the Ethernet header of SYN message two is filled in and SYN message two is sent to the link layer destination host of SYN message one;
S6, after host B receives SYN message two it replies with the corresponding SYN ACK message; the SYN ACK message is redirected to the TCP proxy process module, which replies with the corresponding ACK message, so that the Linux bridge device, disguised as host A, completes establishment of the TCP connection with host B.
Preferably, the TCP data message processing between host A and host B includes TCP data message processing from host A to host B, which comprises the following steps:
T1, host A sends a TCP data message to host B; this message is recorded as TCP data message one;
T2, the Linux bridge device intercepts TCP data message one and redirects it to the TCP proxy process module; the TCP proxy process module reads the data carried by TCP data message one through Socket1 and sends the data read out through Socket2; the TCP data message sent out from Socket2 is recorded as TCP data message two;
T3, through the configured policy routing, TCP data message two bypasses route selection inside the Linux bridge device, and the source IP address and source port of TCP data message two are converted into the source IP address and source port of TCP data message one; through the configured static ARP, TCP data message two bypasses the ARP query process in the Linux bridge device and is sent to the bridge module in the Linux bridge device;
T4, TCP data message two is intercepted, and its destination MAC address and source MAC address are converted into the destination MAC address and source MAC address of TCP data message one; the Ethernet header of TCP data message two is filled in and TCP data message two is sent to the link layer destination host of TCP data message one.
Preferably, the TCP data message processing between host A and host B includes TCP data message processing from host B to host A, which comprises the following steps:
U1, host B sends a TCP data message to host A; this message is recorded as TCP data message three;
U2, the Linux bridge device intercepts TCP data message three and redirects it to the TCP proxy process module; the TCP proxy process module reads the data carried by TCP data message three through Socket2, sends that data out through Socket1 and marks it, the mark being recorded as Mark Y; the TCP data message sent out from Socket1 is recorded as TCP data message four;
U3, through the configured policy routing, TCP data message four bypasses route selection inside the Linux bridge device, and the source IP address and source port of TCP data message four are converted into the source IP address and source port of TCP data message three; through the configured static ARP, TCP data message four bypasses the ARP query process in the Linux bridge device and is sent to the bridge module in the Linux bridge device;
U4, TCP data message four is intercepted, and its destination MAC address and source MAC address are converted into the destination MAC address and source MAC address of TCP data message three; the Ethernet header of TCP data message four is filled in and TCP data message four is sent to the link layer destination host of TCP data message one.
Preferably, intercepting SYN message one by the Linux bridge device in step S2 comprises: using the netfilter module in the Linux bridge device to add a HOOK at the PREROUTING point that intercepts SYN message one;
when step T2 exists, intercepting TCP data message one by the Linux bridge device in step T2 comprises: intercepting TCP data message one with a HOOK added by the netfilter module in the Linux bridge device at the PREROUTING point;
when step U2 exists, intercepting TCP data message three by the Linux bridge device in step U2 comprises: intercepting TCP data message three with a HOOK added by the netfilter module in the Linux bridge device at the PREROUTING point.
Preferably, recording SYN message one in step S2 includes at least recording the source IP address, destination IP address, source port, destination port, source MAC address and destination MAC address of SYN message one.
Preferably, redirecting the TCP connection to the TCP proxy process module in the Linux bridge device in step S2 comprises: performing destination address translation to convert the destination IP address and destination port of SYN message one into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens;
when step T2 exists, redirecting TCP data message one to the TCP proxy process module in step T2 comprises: performing destination address translation to convert the destination IP address and destination port of TCP data message one into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens;
when step U2 exists, redirecting TCP data message three to the TCP proxy process module in step U2 comprises: performing destination address translation to convert the destination address into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens.
Preferably, in step S3, the TCP proxy process module, disguised as host A, sending a TCP SYN message to host B to request a TCP connection comprises: the TCP proxy process module obtains the destination IP address and destination port of SYN message one and creates Socket2 according to that destination IP address and destination port.
Preferably, the configured policy routing forwards messages carrying Mark X or Mark Y through a configured gateway that is in the same network segment as the bridge module; and the configured static ARP sets the destination MAC address of messages carrying Mark X or Mark Y to the destination MAC address of that gateway.
Preferably, SYN message two is intercepted in step S5 as follows: the netfilter module in the Linux bridge device adds a HOOK that intercepts SYN message two before the MAC address lookup, and this HOOK point is recorded as BR_ENTRY;
when step T4 exists, the netfilter module in the Linux bridge device adds a HOOK before the MAC address lookup to intercept TCP data message two;
when step U4 exists, the netfilter module in the Linux bridge device adds a HOOK before the MAC address lookup to intercept TCP data message four.
In order to solve the technical problem, the invention also provides a system for realizing the TCP transparent proxy on the Linux bridge device, which comprises the Linux bridge device, wherein the Linux bridge device comprises a bridge module, a TCP proxy kernel module, a routing module, an address conversion module, a Socket communication module and a TCP proxy process module;
the bridge module is used for communication of a data link layer;
the TCP proxy kernel module is used for intercepting and capturing messages, recording message information, and modifying a destination MAC address and a source MAC address of the messages according to needs, and comprises a netfilter module;
the route selection module is used for executing a normal route forwarding function;
the address translation module is used for realizing the functions of source address translation and destination address translation;
the Socket communication module is used for establishing a Socket between the TCP agent process module and the host A and a Socket between the TCP agent process module and the host B;
the TCP agent process module is used for disguising a target host and establishing TCP connection with a source host, and disguising the source host and establishing new TCP connection with the target host, wherein the host A and the host B are a source host and a target host;
the address resolution module is used for ARP inquiry.
The invention has the beneficial effects that:
when host A and host B are not in the same network segment, the original message of host A is intercepted, and the data packet sent by the proxy is delivered to the bridge module while bypassing routing and ARP query; the source port and source IP address of that data packet are modified to the source port and source IP address of the original message, and before the bridge selects the output port by destination MAC address, the destination MAC address and source MAC address of the packet's Ethernet header are changed to the destination MAC address and source MAC address of the original message, after which the packet is sent to the link layer destination host of the original message. Therefore the TCP transparent proxy function between host A and host B can be realized even when the proxy server is only a link layer bridge device that is unreachable at the network layer from host A and from host B.
Drawings
FIG. 1 is a diagram of a topology according to the background of the invention;
fig. 2 is a topology structural diagram of an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below.
As shown in fig. 2, the idea of the present invention is exemplified by the case where the link layer of the host a and the Linux bridge device is reachable and the link layer of the host B and the Linux bridge device is also reachable, where the system for implementing the TCP transparent proxy on the Linux bridge device includes the Linux bridge device, and the Linux bridge device includes a bridge module, a TCP proxy kernel module, a routing module, an address conversion module, a Socket communication module, and a TCP proxy process module.
The bridge module is used for communication of a data link layer;
the TCP proxy kernel module is used for intercepting and capturing messages, recording message information, and modifying a destination MAC address and a source MAC address of the messages according to needs, and comprises a netfilter module;
the route selection module is used for executing a normal route forwarding function.
The address translation module is used for realizing the functions of source address translation and destination address translation;
the Socket communication module comprises Socket1 and Socket2, where Socket1 is the Socket of the connection that host A initiates to the TCP proxy program disguised as host B, and Socket2 is the Socket of the new TCP connection that the TCP proxy initiates while disguised as host A.
The TCP proxy process module runs as a user-space process; it is disguised as the destination host to establish a TCP connection with the source host, and disguised as the source host to establish a new TCP connection with the destination host, where host A and host B each act as source host or destination host depending on the direction of communication.
The address resolution module is used for ARP queries.
The netfilter module is a subsystem introduced in Linux 2.4.x that serves as a general abstract framework providing a complete management mechanism for HOOK functions: a number of detection points (HOOK points) are placed at several positions along the network data path, a HOOK function can be registered at each detection point, and a data packet passing a HOOK point enters the registered HOOK function for processing. PREROUTING and BR_ENTRY below are both netfilter HOOK points.
The method for realizing a TCP transparent proxy on a Linux bridge device comprises establishing a TCP connection between host A and host B, and processing the TCP data messages between host A and host B after the TCP connection has been established, wherein establishing the TCP connection between host A and host B comprises the following steps:
S1, host A sends a TCP SYN message to host B to request a TCP connection; this SYN message is recorded as SYN message one;
S2, the Linux bridge device intercepts SYN message one, records its information, and redirects the TCP connection to the TCP proxy process module in the Linux bridge device; the TCP proxy process module, disguised as host B, sends the corresponding SYN ACK message to host A, and host A replies with the corresponding ACK message, so that the Linux bridge device completes establishment of the TCP connection with host A; the Socket corresponding to this TCP connection is recorded as Socket1;
to ensure that SYN message one is intercepted reliably, intercepting SYN message one by the Linux bridge device comprises: using the netfilter module in the Linux bridge device to add a HOOK at the PREROUTING point that intercepts SYN message one. To ensure that the subsequent source address translation and destination address translation proceed smoothly, the information of SYN message one is recorded, including its source IP address, destination IP address, source port, destination port, source MAC address and destination MAC address, and, if a virtual local area network is present, the VLAN (virtual local area network) number.
Redirecting the TCP connection to the TCP proxy process module in the Linux bridge device may comprise: the address translation module converts the destination IP address and destination port of SYN message one into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens, so that the TCP connection is redirected to the TCP proxy process module in the Linux bridge device.
S3, the TCP proxy process module sends a TCP SYN message to host B to request a TCP connection; this SYN message is recorded as SYN message two, the Socket corresponding to this TCP connection is recorded as Socket2, and all messages sent out through Socket2 are marked, the mark being recorded as Mark X;
the TCP proxy process module obtains the destination IP address and destination port of SYN message one and creates Socket2 according to them. At this point the source IP address and source port of SYN message two are the IP address of the Linux bridge device on which the TCP proxy process module runs and the port used by Socket2, while the destination address and destination port of SYN message two are the same as those of SYN message one. So that the subsequent policy routing and static ARP can apply special processing to messages carrying the relevant mark, the mark Mark X is set on all messages sent out through Socket2.
S4, through the configured policy routing, SYN message two carrying Mark X bypasses route selection inside the Linux bridge device; source address translation is performed, converting the source IP address and source port of SYN message two into the source IP address and source port of SYN message one; through the configured static ARP, SYN message two bypasses the ARP query process in the Linux bridge device and is sent to the bridge module in the Linux bridge device;
through the configured policy routing, messages carrying Mark X or Mark Y are forwarded through the configured gateway that is in the same network segment as the bridge module, so that the routing module is led to believe that the destination host is reachable at layer three and does not discard the packet or message. For example, when the IP address of the bridge module is 1.1.1.2, the IP address of the gateway is set to 1.1.1.1 and the MAC address of the gateway is set to any valid unicast MAC address, such as a0:11:22:33:44:55; according to the policy routing setting, the SYN message carrying Mark X is forwarded through the gateway 1.1.1.1. The address translation module performs source address translation, converting the source IP address and source port of SYN message two into the source IP address and source port of SYN message one; through the configured static ARP, SYN message two bypasses the ARP query process in the Linux bridge device and is sent to the bridge module in the Linux bridge device, where the static ARP sets the destination MAC address of messages carrying Mark X or Mark Y to the destination MAC address of the gateway, that is, a0:11:22:33:44:55 in this example;
S5, SYN message two is intercepted and destination address translation is performed, converting the destination MAC address and source MAC address of SYN message two into the destination MAC address and source MAC address of SYN message one; the Ethernet header of SYN message two is filled in and SYN message two is sent to the link layer destination host of SYN message one;
the TCP proxy kernel module intercepts SYN message two at the BR_ENTRY point, before the MAC address lookup, performs destination address translation, and converts the destination MAC address and source MAC address of SYN message two into the destination MAC address and source MAC address of SYN message one; considering that other routers may exist between host B and the Linux bridge device, the Ethernet header of SYN message two is filled in and SYN message two is sent to the link layer destination host of SYN message one;
S6, after host B receives SYN message two it replies with the corresponding SYN ACK message; the SYN ACK message is redirected to the TCP proxy process module, which replies with the corresponding ACK message, so that the Linux bridge device, disguised as host A, completes establishment of the TCP connection with host B.
The communication connection between host A and host B is thus established.
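As an added example that is not part of the patent, the following Python script renders the standard Linux commands (iptables REDIRECT at PREROUTING, an ip rule and route keyed on an fwmark, and a permanent ip neigh entry) that correspond to the redirect of step S2 and the policy route and static ARP of step S4, and checks the two conditions the description places on the gateway: it must lie in the bridge module's own network segment and its MAC must be a valid unicast address. The per-flow restoration of the original source address in S4 and the MAC rewrite of S5 have no static iptables equivalent and remain the job of the kernel module the patent describes. The bridge IP 1.1.1.2, gateway IP 1.1.1.1 and MAC a0:11:22:33:44:55 are the description's own values; the interface name br0, proxy port 8080, fwmark 0x1, routing table 100 and the /24 prefix are assumptions.

```python
"""Render and sanity-check the bridge-side configuration for steps S2 and S4.

Not the patent's code.  1.1.1.2, 1.1.1.1 and a0:11:22:33:44:55 come from the
description; br0, port 8080, fwmark 0x1, table 100 and /24 are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeProxyConfig:
    bridge_if: str = "br0"                  # assumed bridge interface name
    bridge_ip: str = "1.1.1.2"              # IP of the bridge module (description)
    bridge_prefix: int = 24                 # assumed prefix length of that address
    gw_ip: str = "1.1.1.1"                  # policy-routing gateway (description)
    gw_mac: str = "a0:11:22:33:44:55"       # static ARP entry for the gateway (description)
    proxy_port: int = 8080                  # assumed listening port of the TCP proxy process
    mark_x: int = 0x1                       # assumed fwmark value standing in for "Mark X"
    table: int = 100                        # assumed policy-routing table id


def is_unicast_mac(mac):
    """A valid unicast MAC has the I/G bit (LSB of the first octet) clear."""
    octets = mac.split(":")
    return (len(octets) == 6 and all(len(o) == 2 for o in octets)
            and int(octets[0], 16) & 1 == 0)


def check(cfg):
    """Problems a reviewer would flag before applying the configuration."""
    problems = []
    net = ipaddress.ip_network(f"{cfg.bridge_ip}/{cfg.bridge_prefix}", strict=False)
    if ipaddress.ip_address(cfg.gw_ip) not in net:
        problems.append("gateway must be in the bridge module's own network segment")
    if not is_unicast_mac(cfg.gw_mac):
        problems.append("gateway MAC must be a valid unicast address")
    if not 0 < cfg.mark_x < 2 ** 32:
        problems.append("fwmark must be non-zero and fit in 32 bits")
    return problems


def redirect_rules(cfg):
    """Step S2: let bridged frames traverse iptables, then send TCP to the local proxy.
    REDIRECT rewrites the destination to the incoming interface's own address."""
    return [
        "modprobe br_netfilter",
        "sysctl -w net.bridge.bridge-nf-call-iptables=1",
        f"iptables -t nat -A PREROUTING -i {cfg.bridge_if} -p tcp "
        f"-j REDIRECT --to-ports {cfg.proxy_port}",
    ]


def marked_route_rules(cfg):
    """Step S4: packets carrying Mark X bypass the main routing table and resolve the
    gateway through a permanent neighbour entry instead of a real ARP query."""
    return [
        f"ip rule add fwmark {cfg.mark_x:#x} table {cfg.table}",
        f"ip route add default via {cfg.gw_ip} dev {cfg.bridge_if} onlink table {cfg.table}",
        f"ip neigh replace {cfg.gw_ip} lladdr {cfg.gw_mac} dev {cfg.bridge_if} nud permanent",
    ]


def render(cfg):
    """Full script text; raises ValueError listing what check() found."""
    problems = check(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(["#!/bin/sh", "set -e", *redirect_rules(cfg), *marked_route_rules(cfg)])


if __name__ == "__main__":
    print(render(BridgeProxyConfig()))
```

The `onlink` flag tells the kernel to accept 1.1.1.1 as a next hop without a route covering it in table 100, which is exactly what is wanted when the gateway exists only as a routing fiction; the permanent neighbour entry then supplies its MAC without any ARP exchange on the wire.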
Once the TCP connection between host A and host B is established, normal communication can proceed. TCP data message processing from host A to host B comprises the following steps:
T1, host A sends a TCP data message to host B; this TCP data message is recorded as TCP data message I;
T2, the Linux bridge device intercepts TCP data message I and redirects it to the TCP proxy process module; the TCP proxy process module reads the data carried by TCP data message I through Socket1 and sends the read data out through Socket2; the TCP data message sent out from Socket2 is recorded as TCP data message II;
The TCP proxy kernel module can intercept TCP data message I through the HOOK at the PREROUTING point. The address translation module performs destination address translation, converting the destination IP address and destination port of TCP data message I into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens, so that TCP data message I is redirected to the TCP proxy process module. The TCP proxy process module reads the data carried by TCP data message I through Socket1 and sends the read data out through Socket2, marking the corresponding TCP data message with Mark X; the TCP data message sent out from Socket2 is recorded as TCP data message II.
T3, enabling TCP data message II to bypass the routing selection inside the Linux bridge device through the configured policy routing, and converting the source IP address and source port of TCP data message II into the source IP address and source port of TCP data message I; enabling TCP data message II to bypass the ARP query process in the Linux bridge device through the configured static ARP, and sending TCP data message II to the bridge module in the Linux bridge device;
A message carrying Mark X or Mark Y is forwarded, by the configured policy route, through the preset gateway that is in the same network segment as the bridge module, so that the routing module is led to treat the destination host as reachable at layer three and the packet is not discarded. The policy routing lets TCP data message II bypass the routing selection in the Linux bridge device, and the source IP address and source port of TCP data message II are converted into the source IP address and source port of TCP data message I; the static ARP lets TCP data message II bypass the ARP query process in the Linux bridge device, and TCP data message II is sent to the bridge module in the Linux bridge device;
T4, intercepting TCP data message II, and converting the destination MAC address and source MAC address of TCP data message II into the destination MAC address and source MAC address of TCP data message I; filling in the Ethernet header of TCP data message II and sending TCP data message II to the link-layer destination host of TCP data message I.
The TCP proxy kernel module can intercept TCP data message II at the BR_ENTRY point, before the MAC address lookup, and convert the destination MAC address and source MAC address of TCP data message II into the destination MAC address and source MAC address of TCP data message I; the Ethernet header of TCP data message II is filled in and TCP data message II is sent to the link-layer destination host of TCP data message I.
TCP data message processing from host B to host A comprises the following steps:
U1, host B sends a TCP data message to host A; it is recorded as TCP data message III;
U2, the Linux bridge device intercepts TCP data message III and redirects it to the TCP proxy process module; the TCP proxy process module reads the data carried by TCP data message III through Socket2, sends it out through Socket1 and marks it, the mark being recorded as Mark Y; the TCP data message sent out from Socket1 is recorded as TCP data message IV;
The TCP proxy kernel module can intercept TCP data message III through the HOOK at the PREROUTING point. The address translation module performs destination address translation, converting the destination IP address and destination port of TCP data message III into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens, so that TCP data message III is redirected to the TCP proxy process module. The TCP proxy process module reads the data carried by TCP data message III through Socket2, sends it out through Socket1 and marks the corresponding TCP data message with Mark Y; the TCP data message sent out from Socket1 is recorded as TCP data message IV;
U3, enabling TCP data message IV to bypass the routing selection inside the Linux bridge device through the configured policy routing, and converting the source IP address and source port of TCP data message IV into the source IP address and source port of TCP data message III; enabling TCP data message IV to bypass the ARP query process in the Linux bridge device through the configured static ARP, and sending TCP data message IV to the bridge module in the Linux bridge device;
The policy routing lets TCP data message IV bypass the routing selection in the Linux bridge device, and the source IP address and source port of TCP data message IV are converted into the source IP address and source port of TCP data message III; the static ARP lets TCP data message IV bypass the ARP query process in the Linux bridge device, and TCP data message IV is sent to the bridge module in the Linux bridge device;
U4, intercepting TCP data message IV, and converting the destination MAC address and source MAC address of TCP data message IV into the destination MAC address and source MAC address of TCP data message III; filling in the Ethernet header of TCP data message IV and sending TCP data message IV to the link-layer destination host of TCP data message I.
The TCP proxy kernel module can intercept TCP data message IV at the BR_ENTRY point, before the MAC address table lookup, and convert the destination MAC address and source MAC address of TCP data message IV into the destination MAC address and source MAC address of TCP data message III; the Ethernet header of TCP data message IV is filled in and TCP data message IV is sent to the link-layer destination host of TCP data message I.
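As an added illustration, not part of the patent text, the following Python simulation runs a constructed host A to host B SYN and a host B to host A data message through the steps described above (S2 to S5 and T2 to T4 in one direction, U2 to U4 in the other) and shows which headers each step rewrites. The bridge IP 1.1.1.2, gateway 1.1.1.1 and gateway MAC a0:11:22:33:44:55 are the patent's example values; the bridge MAC, proxy listening port, mark values, host addresses and the modelling of the PREROUTING and BR_ENTRY hooks as plain functions are assumptions, and the SYN ACK and ACK replies that the proxy process terminates itself (steps S2 and S6) are not modelled.

```python
from dataclasses import dataclass, replace

# Values taken from the patent's own example.
BRIDGE_IP = "1.1.1.2"
GATEWAY_IP = "1.1.1.1"
GATEWAY_MAC = "a0:11:22:33:44:55"
# Constructed values for this simulation (not from the patent).
BRIDGE_MAC = "02:00:00:00:00:02"
PROXY_PORT = 9000          # port the TCP proxy process listens on
MARK_X, MARK_Y = 0x1, 0x2  # fwmark on packets sent from Socket2 / Socket1


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    mark: int = 0
    payload: bytes = b""


def policy_route(pkt):
    """Policy route: marked packets leave via the on-link gateway, never the main table,
    so the routing module cannot judge the real destination unreachable and drop them."""
    return GATEWAY_IP if pkt.mark in (MARK_X, MARK_Y) else None  # None: main table


def static_arp(ip):
    """Static ARP entry: the gateway MAC is pre-set, so no ARP query is issued."""
    return {GATEWAY_IP: GATEWAY_MAC}[ip]


class BridgeProxy:
    """The kernel module (PREROUTING and BR_ENTRY hooks), policy route, static ARP
    and the proxy process, modelled as one pipeline over a constructed Packet."""

    def __init__(self):
        self.fwd = {}    # flow key -> first packet from host A (SYN I record, step S2)
        self.rev = {}    # flow key -> first packet from host B
        self.sock2 = {}  # flow key -> local port of Socket2 toward host B

    def _classify(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.fwd:  # reply travelling from host B toward host A
            return reverse, False
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port), True

    def _proxy_send(self, key, payload, to_b):
        """Proxy process: payload read on one socket is re-sent on the other, marked."""
        a_ip, a_port, b_ip, b_port = key
        if to_b:  # Socket2 -> host B with Mark X (S3 / T2), ephemeral source port
            sport = self.sock2.setdefault(key, 40000 + len(self.sock2))
            return Packet(BRIDGE_MAC, "", BRIDGE_IP, b_ip, sport, b_port, MARK_X, payload)
        # Socket1 -> host A with Mark Y (U2), source is the proxy's listening port
        return Packet(BRIDGE_MAC, "", BRIDGE_IP, a_ip, PROXY_PORT, a_port, MARK_Y, payload)

    def relay(self, pkt):
        """Run one packet entering the bridge through the pipeline; return what leaves."""
        key, to_b = self._classify(pkt)
        (self.fwd if to_b else self.rev).setdefault(key, pkt)  # keep original headers
        # S2 / T2 / U2: the PREROUTING hook DNATs the packet to the proxy's socket
        redirected = replace(pkt, dst_ip=BRIDGE_IP,
                             dst_port=PROXY_PORT if to_b else self.sock2[key])
        out = self._proxy_send(key, redirected.payload, to_b)
        # S4 / T3 / U3: policy route + static ARP fill the (still empty) dst_mac;
        # SNAT restores the real peer's source IP and port recorded from SYN I
        syn1 = self.fwd[key]
        out = replace(out, dst_mac=static_arp(policy_route(out)),
                      src_ip=syn1.src_ip if to_b else syn1.dst_ip,
                      src_port=syn1.src_port if to_b else syn1.dst_port)
        # S5 / T4 / U4: the BR_ENTRY hook, before the bridge FDB lookup, restores the
        # link-layer addresses of the packet this one continues
        ref = self.fwd[key] if to_b else self.rev[key]
        return replace(out, src_mac=ref.src_mac, dst_mac=ref.dst_mac)


def demo():
    """Constructed sample flow: host A 10.0.0.5:51000 -> host B 10.0.0.9:80."""
    bridge = BridgeProxy()
    syn1 = Packet("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "10.0.0.5", "10.0.0.9", 51000, 80)
    syn2 = bridge.relay(syn1)  # what leaves toward host B as SYN II
    data3 = Packet("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", "10.0.0.9", "10.0.0.5", 80, 51000,
                   payload=b"HTTP/1.1 200 OK")
    data4 = bridge.relay(data3)  # what leaves toward host A as TCP data message IV
    return syn2, data4
```

The packets returned by `demo()` carry the peers' original IP, port and MAC addresses on egress, which is what makes the proxy transparent to both hosts even though every byte passed through two sockets on the bridge.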

Claims (13)

  1. A method for implementing a TCP transparent proxy on a Linux bridge device, characterized by comprising the steps of establishing a TCP connection between host A and host B, and processing TCP data messages between host A and host B after the TCP connection is established, wherein establishing the TCP connection between host A and host B comprises the following steps:
    S1, host A sends a TCP SYN message to host B requesting to establish a TCP connection; the SYN message is recorded as SYN message I;
    S2, the Linux bridge device intercepts SYN message I, records the information of SYN message I, and redirects the TCP connection to the TCP proxy process module in the Linux bridge device; the TCP proxy process module, disguised as host B, sends the corresponding SYN ACK message to host A, and host A replies with the corresponding ACK message, so that the Linux bridge device completes the establishment of the TCP connection with host A; the Socket corresponding to this TCP connection is recorded as Socket1;
    S3, the TCP proxy process module sends a TCP SYN message to host B requesting to establish a TCP connection; the SYN message is recorded as SYN message II, the Socket corresponding to this TCP connection is recorded as Socket2, and all messages sent out through Socket2 are marked, the mark being recorded as Mark X;
    S4, enabling SYN message II carrying Mark X to bypass the routing selection inside the Linux bridge device through the configured policy routing, performing source address translation, and converting the source IP address and source port of SYN message II into the source IP address and source port of SYN message I; enabling SYN message II to bypass the ARP query process in the Linux bridge device through the configured static ARP, and sending SYN message II to the bridge module in the Linux bridge device;
    S5, intercepting SYN message II, performing destination address translation, and converting the destination MAC address and source MAC address of SYN message II into the destination MAC address and source MAC address of SYN message I; filling in the Ethernet header of SYN message II and sending SYN message II to the link-layer destination host of SYN message I;
    S6, after host B receives SYN message II it replies with the corresponding SYN ACK message, which is redirected to the TCP proxy process module; the TCP proxy process module replies with the corresponding ACK message, so that the Linux bridge device, disguised as host A, completes the establishment of the TCP connection with host B.
  2. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 1, wherein the TCP data message processing between host A and host B comprises host A to host B TCP data message processing, which comprises the following steps:
    T1, host A sends a TCP data message to host B; this TCP data message is recorded as TCP data message I;
    T2, the Linux bridge device intercepts TCP data message I and redirects it to the TCP proxy process module; the TCP proxy process module reads the data carried by TCP data message I through Socket1 and sends the read data out through Socket2; the TCP data message sent out from Socket2 is recorded as TCP data message II;
    T3, enabling TCP data message II to bypass the routing selection inside the Linux bridge device through the configured policy routing, and converting the source IP address and source port of TCP data message II into the source IP address and source port of TCP data message I; enabling TCP data message II to bypass the ARP query process in the Linux bridge device through the configured static ARP, and sending TCP data message II to the bridge module in the Linux bridge device;
    T4, intercepting TCP data message II, and converting the destination MAC address and source MAC address of TCP data message II into the destination MAC address and source MAC address of TCP data message I; filling in the Ethernet header of TCP data message II and sending TCP data message II to the link-layer destination host of TCP data message I.
  3. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 1, wherein the TCP data message processing between host A and host B comprises host B to host A TCP data message processing, which comprises the following steps:
    U1, host B sends a TCP data message to host A; it is recorded as TCP data message III;
    U2, the Linux bridge device intercepts TCP data message III and redirects it to the TCP proxy process module; the TCP proxy process module reads the data carried by TCP data message III through Socket2, sends it out through Socket1 and marks it, the mark being recorded as Mark Y; the TCP data message sent out from Socket1 is recorded as TCP data message IV;
    U3, enabling TCP data message IV to bypass the routing selection inside the Linux bridge device through the configured policy routing, and converting the source IP address and source port of TCP data message IV into the source IP address and source port of TCP data message III; enabling TCP data message IV to bypass the ARP query process in the Linux bridge device through the configured static ARP, and sending TCP data message IV to the bridge module in the Linux bridge device;
    U4, intercepting TCP data message IV, and converting the destination MAC address and source MAC address of TCP data message IV into the destination MAC address and source MAC address of TCP data message III; filling in the Ethernet header of TCP data message IV and sending TCP data message IV to the link-layer destination host of TCP data message I.
  4. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 2, wherein the step of intercepting SYN message I by the Linux bridge device in step S2 comprises: using the netfilter module in the Linux bridge device to add a HOOK at the PREROUTING point to intercept SYN message I;
    in step T2, the step of intercepting TCP data message I by the Linux bridge device comprises: intercepting TCP data message I by the HOOK added at the PREROUTING point by the netfilter module in the Linux bridge device.
  5. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 3, wherein the step of intercepting SYN message I by the Linux bridge device in step S2 comprises: using the netfilter module in the Linux bridge device to add a HOOK at the PREROUTING point to intercept SYN message I;
    in step U2, the step of intercepting TCP data message III by the Linux bridge device comprises: intercepting TCP data message III by the HOOK added at the PREROUTING point by the netfilter module in the Linux bridge device.
  6. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 1, 2 or 3, wherein recording the information of SYN message I in step S2 comprises recording at least the source IP address, destination IP address, source port, destination port, source MAC address and destination MAC address of SYN message I.
  7. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 2, wherein the step of redirecting the TCP connection to the TCP proxy process module within the Linux bridge device in step S2 comprises: performing destination address translation to convert the destination IP address and destination port of SYN message I into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens;
    the step of redirecting TCP data message I to the TCP proxy process module in step T2 comprises: performing destination address translation to convert the destination IP address and destination port of TCP data message I into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens.
  8. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 3, wherein the step of redirecting the TCP connection to the TCP proxy process module within the Linux bridge device in step S2 comprises: performing destination address translation to convert the destination IP address and destination port of SYN message I into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens;
    the step of redirecting TCP data message III to the TCP proxy process module in step U2 comprises: performing destination address translation to convert the destination IP address and destination port of TCP data message III into the local IP address of the Linux bridge device and the port on which the TCP proxy process module listens.
  9. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 1, wherein the step of the TCP proxy process module, disguised as host A, sending a TCP SYN message to host B requesting to establish a TCP connection in step S3 comprises: the TCP proxy process module obtains the destination IP address and destination port of SYN message I, and creates Socket2 according to that destination IP address and destination port.
  10. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 1, 2 or 3, wherein the configured policy routing forwards messages carrying Mark X or Mark Y through a gateway in the same network segment as the bridge module; and the configured static ARP sets the destination MAC address of messages carrying Mark X or Mark Y to the MAC address of the gateway.
  11. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 2, wherein the method adopted in step S5 for intercepting SYN message II is: using the netfilter module in the Linux bridge device to add a HOOK that intercepts SYN message II before the MAC address lookup, this HOOK point being recorded as BR_ENTRY;
    in step T4, the netfilter module in the Linux bridge device is used to add a HOOK before the MAC address lookup to intercept TCP data message II.
  12. The method for implementing a TCP transparent proxy on a Linux bridge device of claim 3, wherein the method adopted in step S5 for intercepting SYN message II is: using the netfilter module in the Linux bridge device to add a HOOK that intercepts SYN message II before the MAC address lookup, this HOOK point being recorded as BR_ENTRY;
    in step U4, the netfilter module in the Linux bridge device is used to add a HOOK before the MAC address lookup to intercept TCP data message IV.
  13. A system for implementing a TCP transparent proxy on a Linux bridge device, characterized by comprising the Linux bridge device, wherein the Linux bridge device comprises a bridge module, a TCP proxy kernel module, a routing module, an address translation module, a Socket communication module and a TCP proxy process module;
    the bridge module is used for data link layer communication;
    the TCP proxy kernel module is used for intercepting messages, recording message information, and modifying the destination MAC address and source MAC address of messages as needed, and comprises a netfilter module;
    the routing module is used for performing the normal route forwarding function;
    the address translation module is used for implementing the source address translation and destination address translation functions;
    the Socket communication module is used for establishing a Socket between the TCP proxy process module and host A and a Socket between the TCP proxy process module and host B;
    the TCP proxy process module is used for disguising itself as the destination host to establish a TCP connection with the source host, and disguising itself as the source host to establish a new TCP connection with the destination host, wherein host A and host B are the source host and the destination host;
    the address resolution module is used for ARP queries.
CN201811458579.0A 2018-11-30 2018-11-30 Method and system for realizing TCP transparent proxy on Linux network bridge equipment Active CN109547452B (en)


Publications (2)

Publication Number Publication Date
CN109547452A CN109547452A (en) 2019-03-29
CN109547452B true CN109547452B (en) 2021-04-02




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant